Grafana MCP server guide

Overview

The official Grafana MCP server provides comprehensive access to your Grafana instance and its surrounding ecosystem. With support for dashboards, datasource queries (Prometheus, Loki, Pyroscope), alerting, incident management, Grafana OnCall, and Sift investigations, this server enables AI agents to interact with your entire observability stack.

The server works with both local Grafana instances and Grafana Cloud, making it ideal for tasks like troubleshooting production issues, analyzing metrics and logs, managing dashboards, and coordinating incident response.

Metadata

Expand to view the MCP server's metadata

Server metadata

Name: grafana
Type: container
Description: Grafana integration for dashboard search, datasource queries, alerting, and incident response
Tier: Official
Status: Active
Transport: sse
Image: docker.io/mcp/grafana:latest
Target Port: 8000
Has Provenance: No

Permissions:
  Network:
    Insecure Allow All: true
    Allow Port: 443
Repository URL: https://github.com/grafana/mcp-grafana
Popularity: 1728 stars, 8120 pulls
Last Updated: 2025-10-21T02:31:32Z

Tools:
  - list_teams
  - search_dashboards
  - get_dashboard_by_uid
  - update_dashboard
  - get_dashboard_panel_queries
  - list_datasources
  - get_datasource_by_uid
  - get_datasource_by_name
  - query_prometheus
  - list_prometheus_metric_metadata
  - list_prometheus_metric_names
  - list_prometheus_label_names
  - list_prometheus_label_values
  - list_incidents
  - create_incident
  - add_activity_to_incident
  - resolve_incident
  - query_loki_logs
  - list_loki_label_names
  - list_loki_label_values
  - query_loki_stats
  - list_alert_rules
  - get_alert_rule_by_uid
  - list_oncall_schedules
  - get_oncall_shift
  - get_current_oncall_users
  - list_oncall_teams
  - list_oncall_users
  - get_investigation
  - get_analysis
  - list_investigations
  - find_error_pattern_logs
  - find_slow_requests
  - list_pyroscope_label_names
  - list_pyroscope_label_values
  - list_pyroscope_profile_types
  - fetch_pyroscope_profile

Environment Variables:
  - GRAFANA_URL (required): URL of the Grafana instance to connect to
  - GRAFANA_API_KEY (required): Service account token with appropriate permissions

Tags:
  grafana, dashboards, visualization, monitoring, alerting, prometheus, loki, tempo, pyroscope, incidents, observability, metrics, logs, traces, sift, investigations, oncall

Example Command:
  thv run grafana

Usage

You'll need a Grafana service account token to authenticate with the Grafana API. The token must have permissions for the Grafana features you want to access (such as dashboards, datasources, or alerting). Refer to the Grafana service account documentation for details on creating tokens and configuring permissions.

UI

Select the grafana MCP server in the ToolHive registry.

In the Secrets section, add your Grafana service account token or select an existing secret that contains the token.

In the Environment Variables section, configure the connection to your Grafana instance:

• GRAFANA_URL: Your Grafana instance URL (for example, http://localhost:3000 for local instances or https://myinstance.grafana.net for Grafana Cloud)
• GRAFANA_ORG_ID (optional): The numeric organization ID if your Grafana instance has multiple organizations

Security tip

Enable outbound network filtering on the Network Isolation tab to restrict the server's network access. Update the allowed hosts to match your Grafana instance domain.

CLI

Create a secret containing your Grafana service account token:

thv secret set grafana-token

Run the server with your Grafana instance URL and the secret:

thv run \
  -e GRAFANA_URL=http://localhost:3000 \
  --secret grafana-token,target=GRAFANA_SERVICE_ACCOUNT_TOKEN \
  grafana

For Grafana Cloud, use your cloud instance URL:

thv run \
  -e GRAFANA_URL=https://myinstance.grafana.net \
  --secret grafana-token,target=GRAFANA_SERVICE_ACCOUNT_TOKEN \
  grafana

Enable network isolation to restrict the server's network access. Create a permission profile with your Grafana instance domain:

grafana-profile.json

{
  "network": {
    "outbound": {
      "insecure_allow_all": false,
      "allow_host": ["myinstance.grafana.net"],
      "allow_port": [443]
    }
  }
}

Then run with the custom profile:

thv run \
  -e GRAFANA_URL=https://myinstance.grafana.net \
  --secret grafana-token,target=GRAFANA_SERVICE_ACCOUNT_TOKEN \
  --isolate-network --permission-profile grafana-profile.json \
  grafana

If your Grafana instance has multiple organizations, add the GRAFANA_ORG_ID environment variable with the numeric organization ID (for example, -e GRAFANA_ORG_ID=2).

Debug mode

Add the -- separator followed by -debug to enable detailed logging of HTTP requests and responses:

thv run \
  -e GRAFANA_URL=http://localhost:3000 \
  --secret grafana-token,target=GRAFANA_SERVICE_ACCOUNT_TOKEN \
  -- -debug

Kubernetes

Create a Kubernetes secret containing your Grafana service account token:

kubectl -n toolhive-system create secret generic grafana-token \
  --from-literal=token=<YOUR_TOKEN>

Create a Kubernetes manifest to deploy the Grafana MCP server:

grafana.yaml

apiVersion: toolhive.stacklok.dev/v1alpha1
kind: MCPServer
metadata:
  name: grafana
  namespace: toolhive-system
spec:
  image: docker.io/mcp/grafana:latest
  transport: sse
  mcpPort: 8000
  proxyPort: 8080
  env:
    - name: GRAFANA_URL
      value: 'http://localhost:3000'
  secrets:
    - name: grafana-token
      key: token
      targetEnvName: GRAFANA_SERVICE_ACCOUNT_TOKEN

Apply the manifest to your Kubernetes cluster:

kubectl apply -f grafana.yaml

For Grafana Cloud, update the GRAFANA_URL in the manifest:

spec:
  env:
    - name: GRAFANA_URL
      value: 'https://myinstance.grafana.net'

If your Grafana instance has multiple organizations, add the GRAFANA_ORG_ID environment variable with the numeric organization ID:

spec:
  env:
    - name: GRAFANA_URL
      value: 'http://localhost:3000'
    - name: GRAFANA_ORG_ID
      value: '2'

Sample prompts

Here are some sample prompts you can use to interact with the Grafana MCP server:

• "Show me all dashboards related to Kubernetes monitoring"
• "Query the Prometheus datasource for CPU usage over the last hour for the api-service pod"
• "Get the recent alerts that are currently firing"
• "List all open incidents and show me details for the most recent one"
• "Find error patterns in the logs from the production namespace using Loki"
• "Who is currently on call for the backend team schedule?"
• "Create a new incident titled 'High memory usage on production cluster' with severity critical"
• "Show me the panel queries from the 'API Performance' dashboard"
• "Get label values for the namespace label from the Loki datasource"
• "List all Sift investigations from the past week"

Recommended practices

• Create service accounts with least-privilege permissions. Use fine-grained RBAC scopes to limit access to only the datasources, dashboards, and features required for your specific use case.
• Regularly rotate service account tokens and update the secrets in ToolHive.
• Enable network isolation to restrict the server's outbound network access to your Grafana instance domain only.
• For dashboards with large JSON configurations, use the get_dashboard_summary or get_dashboard_property tools to minimize context window usage instead of retrieving the full dashboard with get_dashboard_by_uid.
• When working with multi-organization setups, always specify the GRAFANA_ORG_ID to ensure operations target the correct organization.
• Enable telemetry to monitor API calls and track which Grafana resources are being accessed.
• For production deployments, consider using the debug mode temporarily to troubleshoot connection or permission issues, but disable it once everything is working correctly.